
CVE-2024-45607 whatsapp-api-js

Package

Manager: npm
Name: whatsapp-api-js
Vulnerable Version: >=4.0.0 <4.0.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

EPSS: 0.00067 (percentile 0.21034)

Details

whatsapp-api-js fails to validate the message signature.

### Impact

Incorrect access control (CWE-347, improper verification of a cryptographic signature): in the affected versions the library does not correctly validate the signature of incoming webhook messages, so a request that was not signed by WhatsApp can be accepted as genuine. Anyone using the `post` or `verifyRequestSignature` methods to handle messages is impacted.

### Patches

Patched in version 4.0.3.

### Workarounds

In the affected versions the result of `WhatsAppAPI.verifyRequestSignature` is inverted: it returns false when the signature is valid. Until you can upgrade, call it yourself on the raw payload and reject the request when it returns true, before handing the payload to `post`:

```ts
function doPost(payload, header_signature) {
  // Affected versions (>=4.0.0 <4.0.3) return false for a VALID signature,
  // so a true result means the request did not verify and must be rejected.
  if (whatsapp.verifyRequestSignature(payload.toString(), header_signature)) {
    throw 403;
  }
  // Now the payload is correctly verified
  whatsapp.post(payload);
}
```

This inverted check only matches the behaviour of 4.0.0 through 4.0.2; remove it when upgrading to 4.0.3, otherwise correctly signed requests would be rejected.

### References

https://github.com/Secreto31126/whatsapp-api-js/pull/371
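The underlying check that the affected versions get wrong is the one Meta documents for Graph API webhooks: the `X-Hub-Signature-256` header carries `sha256=` followed by the hex HMAC-SHA256 of the raw request body, keyed with the app secret. The following is an added example, not code from whatsapp-api-js or its advisory, showing how to verify that header independently of the library so the webhook fails closed regardless of library version. The app secret, the body and the function names (`signBody`, `verifyWebhookSignature`, `handleWebhookPost`) are constructed for this illustration.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed sample values for this example; not real credentials or captured traffic.
const APP_SECRET = "example-app-secret-not-a-real-one";
const RAW_BODY = '{"object":"whatsapp_business_account","entry":[{"id":"0","changes":[]}]}';

// Build the X-Hub-Signature-256 value for a raw body: "sha256=" + hex(HMAC-SHA256(appSecret, body)).
// Meta computes this over the exact bytes it sends; here it is reused to fabricate sample requests.
function signBody(rawBody: string, appSecret: string): string {
  const mac = createHmac("sha256", appSecret).update(rawBody, "utf8").digest("hex");
  return `sha256=${mac}`;
}

// Returns true only when the header carries a valid signature for rawBody.
// A missing or malformed header, a length mismatch or a MAC mismatch all yield false.
function verifyWebhookSignature(rawBody: string, header: string | undefined, appSecret: string): boolean {
  const prefix = "sha256=";
  if (typeof header !== "string" || !header.startsWith(prefix)) {
    return false;
  }
  const received = Buffer.from(header.slice(prefix.length).toLowerCase(), "utf8");
  const expected = Buffer.from(
    createHmac("sha256", appSecret).update(rawBody, "utf8").digest("hex"),
    "utf8",
  );
  // timingSafeEqual throws on length mismatch, so check length first and treat a mismatch as invalid.
  if (received.length !== expected.length) {
    return false;
  }
  return timingSafeEqual(received, expected);
}

// Webhook handler: verify before any parsing or processing, and fail closed.
// Returns the HTTP status the caller should respond with.
function handleWebhookPost(
  rawBody: string,
  header: string | undefined,
  appSecret: string,
  onMessage: (message: unknown) => void,
): number {
  if (!verifyWebhookSignature(rawBody, header, appSecret)) {
    return 403; // Not signed by WhatsApp: discard without touching the payload.
  }
  onMessage(JSON.parse(rawBody));
  return 200;
}

// Stand-alone demonstration: a genuine request passes; a tampered body, a header
// forged with the wrong secret, and a missing header are all refused.
function demo(): Record<string, number> {
  const genuine = signBody(RAW_BODY, APP_SECRET);
  const noop = () => {};
  return {
    genuine: handleWebhookPost(RAW_BODY, genuine, APP_SECRET, noop),
    tamperedBody: handleWebhookPost(RAW_BODY.replace('"id":"0"', '"id":"1"'), genuine, APP_SECRET, noop),
    wrongSecret: handleWebhookPost(RAW_BODY, signBody(RAW_BODY, "attacker-guess"), APP_SECRET, noop),
    missingHeader: handleWebhookPost(RAW_BODY, undefined, APP_SECRET, noop),
  };
}
```

The verification must run over the raw bytes of the request body, captured before any JSON middleware parses it (for example via the `verify` callback of Express's body parser); re-serialising a parsed object changes whitespace and key order and the MAC will no longer match. Comparing with `timingSafeEqual` rather than `===` avoids leaking how many leading hex digits of a guessed MAC were correct.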

Metadata

Created: 2024-09-12T21:29:17Z
Modified: 2024-09-12T21:39:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-mwhf-vhr5-7j23/GHSA-mwhf-vhr5-7j23.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-mwhf-vhr5-7j23
Finding: F163
Auto approve: 1